Judge Esther Salas ruled that it is not necessary for Congress to have explicitly given the FTC authority to wield the FTC Act against companies who cause consumer and business harm by maintaining weak data security systems. Nor is it necessary, the court said, for the FTC to promulgate prior data security regulations explaining in detail which security practices are lawful and which are not.

The court noted that the Ninth Circuit, in FTC v. Neovi Inc., 604 F.3d 1150 (9th Cir. 2010), and the Tenth Circuit, in FTC v. Accusearch Inc., 570 F.3d 1187 (10th Cir. 2009), have already affirmed FTC “unfairness” enforcement actions without preexisting rules or regulations addressing the specific conduct at issue. In Judge Salas' view, Wyndham was essentially asking for an FTC Act carve-out for data security, a request she found no basis in the law to grant.

Along the way, the court also held that the FTC could proceed against Wyndham on its additional allegation that the gap between the promises Wyndham made in its privacy policy and the actual circumstance of its data security practices was sufficiently wide to support a deceptive practices claim under the FTC Act.

Facts

Between April 2008 and January 2010, the defendants, Wyndham Worldwide Corp. and related business entities, suffered a series of intrusions into their computer networks, resulting in the loss of more than 619,000 payment card account numbers, according to the FTC complaint. The FTC further alleged that these intrusions proximately led to more than $10.6 million in fraud losses.

According to the FTC, these losses were attributable to unreasonably weak data security practices by Wyndham. The FTC alleged that Wyndham:

• failed to limit access among different computer networks through the use of readily available measures, such as firewalls;

• engaged in “deceptive” practices by misrepresenting in its privacy policy that it took “commercially reasonable efforts” to secure customers’ payment card data.

Wyndham's Legal Challenge

Wyndham moved to dismiss, arguing that Congress had failed to give the FTC the necessary authority to enforce data security standards by using the FTC Act's “unfairness” authority against it. Further, Wyndham argued that the FTC's practice of using enforcement actions and thereby creating a data security standard piecemeal, on a case-by-case basis, failed to give it notice of which practices were lawful and which were not.

The court rejected Wyndham Hotels' argument that the FTC had exceeded its statutory authority for the same reasons identified by the U.S. Supreme Court in FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), a case in which the high court ruled that the FDA lacked authority to mandate disclaimers on tobacco packages. Brown & Williamson involved a situation in which Congress clearly intended to exclude tobacco products from the FDA's enforcement authority, the district court noted here. No such congressional intent is evident with respect to the FTC and data security; in fact, the court added, nothing in Congress's several specific enactments of FTC authority in the area of data security--e.g., the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Children's Online Privacy Protection Act--contradicts the FTC's assertion of jurisdiction to enforce data privacy standards under the FTC Act.

'Significant Win' for FTC

“This is obviously a significant win for the FTC,” Stephen P. Satterfield, an attorney in the Privacy and Data Security practice group at Covington & Burling LLP, Washington, D.C., told Bloomberg BNA. “But it’s important to recognize that this is just Round 1 of what could be a very long battle.”

Satterfield said it is likely that Wyndham Hotels--the first company, after a long line of settlements in similar cases, to challenge the FTC's authority--will seek to immediately appeal the decision to the Third Circuit. “Even if the case does not immediately go up for appeal, the FTC has a long way to go before it can declare victory here,” he said.
